Use of Restricted Groups

[Ryan Sanders]

I am looking to use Restricted Groups on several domain security groups.
I would like to create a domain level GPO that contains explicit
membership to several highly sensitive security groups. I have read in
the documentation on this and it says it is not advise on Domain
Controllers.

What I can not find is why not. This works great in my lab.

Other considerations?

Thanks!

 

[Jorge de Almeida Pinto [MVP - DS]]

because ALL DCs will try to do the same as soon as they know about it...

read more here:
http://blogs.dirteam.com/blogs/gpog...y-and-AD-groups_2D002D00_not-a-good-idea.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Ryan Sanders]

because ALL DCs will try to do the same as soon as they know about it...

read more here:
http://blogs.dirteam.com/blogs/gpog...y-and-AD-groups_2D002D00_not-a-good-idea.aspx

Great reading. Thanks for the input.

Based off that reading I am lead to believe that if I have a single DC
then I should not have problems using restricted groups to control
domain group membership?

 

[Jorge de Almeida Pinto [MVP - DS]]

true...
but what would happen if you suddendly install another DC and forget about
that configuration?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Ryan Sanders]

true...
but what would happen if you suddendly install another DC and forget about
that configuration?

Understood.

Thanks,
Ryan

 

[Joe Richards [MVP]]

And of course a single DC is a bad thing. It means on any kind of
failure you are doing a full domain restore. This isn't something you
generally want to have to do. Even if the second DC is a very small
underpowered machine it is better than nothing because it can reduce
your complete and utter downtime from hours/days to nothing and just
running in a reduced capacity. Plus you don't have to restore, you can
just rebuild and repromote your main DC which is much preferred to a
recovery.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm